Re: 0 Day Exploit
So the question is, should we blackmail companies who don't issue fixes?
This was widely debated in the infosec community - particularly among the white hats - back in the '90s and early '00s. That's why we have things like RFPolicy. Every software vendor should be aware that there are researchers who will disclose vulnerabilities and exploits if the vendor doesn't respond in a timely fashion. That's been widespread practice for more than a decade - precisely because history amply demonstrates that's what it takes to make vendors behave responsibly.